The University of Texas at Tyler

Securing iPads and iPhones

UT Tyler Office of Information Security

Listed below are steps you need to perform to protect the data that resides on your iPad or iPhone.

Update Firmware to the Latest Version

  • Apple iOS devices ship with the most current version of the firmware available when the device was manufactured, but new updates often address security vulnerabilities in addition to bug fixes and new features.

Require a Passcode 

  1. Tap Settings.
  2. Tap General.
  3. Tap Passcode Lock.
  4. Enter a passcode. The passcode must be at least 4 characters in length.
  5. Enter the same passcode again to confirm.

Set Auto-Lock Timeout

  1.  Tap Settings.
  2.  Tap General.
  3.  Tap Auto-Lock.
  4.  Tap “1 Minute” or one of the other values.  Lower values are more secure.

Disable Grace Period for Lock

The grace period allows the device to be unlocked without a passcode for a short time after it auto-locks.  Setting Require Passcode to "Immediately" closes this window: the passcode must be entered regardless of when the device was last locked.

  1.  Tap Settings.
  2.  Tap General.
  3.  Tap Passcode Lock.
  4.  Tap Require Passcode.
  5.  Tap Immediately.

Erase Data Upon Excessive Passcode Failures

Devices can be configured to automatically erase user settings and data after ten passcode failures.  As excessive passcode failures typically indicate the device is out of physical control of its owner, enabling this may protect the confidentiality of information stored on the device.

Remediation:

  1.  Tap Settings.
  2.  Tap General.
  3.  Tap Passcode Lock.
  4.  Turn on Erase Data.
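
Where devices are managed with an Apple configuration profile rather than set by hand, the four passcode settings above (passcode required, auto-lock, no grace period, erase after ten failures) can be checked in the profile's passcode policy payload. The script below is an added example, not part of the original UT Tyler guidance; it assumes the profile is an unsigned plist, and the two sample profiles, their identifiers and UUIDs are constructed.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"  # Apple passcode policy payload


def audit_profile(profile_bytes):
    """Return findings for a profile; an empty list means all four settings are enforced."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode policy payload in profile"]
    p, findings = payloads[0], []
    if not p.get("forcePIN", False):
        findings.append("forcePIN: passcode is not required")
    if p.get("minLength", 0) < 4:
        findings.append("minLength: passcodes shorter than 4 characters allowed")
    if "maxInactivity" not in p:  # minutes of idle time before auto-lock
        findings.append("maxInactivity: auto-lock timeout not enforced")
    if p.get("maxGracePeriod") != 0:  # 0 minutes corresponds to "Immediately"
        findings.append("maxGracePeriod: grace period is not Immediately")
    failed = p.get("maxFailedAttempts")
    if failed is None or failed > 10:
        findings.append("maxFailedAttempts: erase after ten failures not enforced")
    return findings


def build_profile(**settings):
    """Build a constructed sample profile holding one passcode policy payload."""
    payload = {"PayloadType": PASSCODE_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.constructed.passcode",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001", **settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.constructed",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": [payload]})


# Constructed samples: a weak profile beside one matching the steps above.
WEAK = build_profile(forcePIN=True, minLength=4, maxGracePeriod=5)
HARDENED = build_profile(forcePIN=True, minLength=4, maxInactivity=1,
                         maxGracePeriod=0, maxFailedAttempts=10)

if __name__ == "__main__":
    for name, data in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_profile(data) or "meets all four settings")
```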

Enable Fraud Warning in Safari

Fraud warning in Safari helps protect users from visiting potentially fraudulent Internet sites.  If a user navigates to a known fraudulent site covered by this service, Safari will not load the site and will instead display a warning to the user about its suspect nature.

Remediation:

  1.  Tap Settings.
  2.  Tap Safari.
  3.  Turn on Fraud Warning.

Enable Data Protection

With devices that support hardware encryption (iPhone 3GS and later, iPod Touch 3rd gen and later, and all iPads), iOS 4 allows applications to use an encryption key derived from a user's passcode to protect application data.  Enabling this feature is as simple as setting a passcode on the device.

To verify that data protection is enabled:

  1.  Tap Settings.
  2.  Tap General.
  3.  Tap Passcode.
  4.  "Data protection is enabled" should be displayed at the bottom of the screen.

Note: If the device originally shipped with iOS 3 (e.g. the iPhone 3GS, iPad, and iPod Touch), this feature will not be available until the device is restored after upgrading to iOS 4.  This feature is not available on older devices, such as the iPhone 3G and earlier models, at all, as they do not support hardware encryption.

It is important to understand that applications must be specifically designed to utilize data protection. Do not store or use sensitive data with applications that do not make use of data protection. More information regarding this feature is available on Apple's site at iOS 4: Understanding data protection.

Turn off Ask to Join Networks

Requiring the user to manually configure and join a Wi-Fi network reduces the risk of inadvertently joining a similarly named yet untrusted network (e.g. “defualt” instead of “default”).

Remediation:

  1.  Tap Settings.
  2.  Tap Wi-Fi.
  3.  Turn off “Ask to Join Networks”.

Turn off Bluetooth When Not Needed

  1.  Tap Settings.
  2.  Tap General.
  3.  Tap Bluetooth.
  4.  Turn off Bluetooth.

Forget Wi-Fi Networks to Prevent Automatic Rejoin

By default, an iOS device will remember and automatically rejoin networks that it has previously associated with.  The problem is that a trusted but unauthenticated Wi-Fi network may be spoofed, and the device will then join the spoofed network automatically.  Additionally, if a previously joined network has a common SSID, such as “default” or “linksys”, it is very probable that the iPhone will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.

Remediation:

  1.  Tap Settings.
  2.  Tap Wi-Fi.
  3.  Tap the Wi-Fi network to forget.
  4.  Tap “Forget this network.”

Erase All Data Before Return, Repair or Recycle

In order to prevent an unauthorized user from being able to recover sensitive information from the device, the disk should be overwritten via the "Erase All Content and Settings" setting before it is out of the user's physical control.

To securely erase a device:

  1.  Tap Settings.
  2.  Tap General.
  3.  Tap Reset.
  4.  Tap Erase All Content and Settings.

Enable Remote Wipe Functionality

Apple's MobileMe service provides, among other things, the ability to track GPS-enabled devices, display messages on the screen, lock a device, and wipe all data.  These features are provided free of charge to owners of iPhone 4, iPod Touch (4th gen), and iPad devices, but they must be set up on the device in advance (i.e. this can't be done after the device is lost).

Encrypt Device Backups Through iTunes

In iTunes, with the device connected, check "Encrypt [devicetype] backup" under Options and select a strong password.
